Friday, February 13, 2015

Audit: Weak information security at BBG

Critical report

The Broadcasting Board of Governors has failed to comply with information security guidelines, according to an audit performed for the Office of Inspector General.
The audit said the Office of Cuba Broadcasting neglected to perform privacy impact assessments, which are designed to show what personally identifiable information is collected, why it's collected and how it will be used, shared, protected and stored.
Security shortcomings been an issue for several years at the BBG, which oversees the Office of Cuba Broadcasting. Weak security led to the hacking of BBG websites in 2011, a BBG official told inspectors.
Excerpts from the October 2014 report are below:

In accordance with the Federal Information Security Management Act of 2002 (FISMA), the Office of Inspector General (OIG) contracted with Williams, Adley & Company-DC, LLP (referred to as “we” in this report), to perform an independent audit of the Broadcasting Board of Governors (BBG) information security program’s compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). We found that BBG was substantially not in compliance with FISMA, OMB, and NIST requirements.
Collectively, the information security control weaknesses we identified in this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.3 We identified control weaknesses in 9 of the 11 information security program areas that considerably impacted BBG’s information security program. The most significant information security deficiencies are related to the risk management framework, continuous monitoring program, [Redacted] contingency plans, configuration management, and the incident response and reporting program. In addition, information security program areas that need improvement include Plans of Action and Milestones (POA&M), remote access, identity and access management, and security training. Since FY 2010, the weak (and in some cases lack of) security controls adversely affected the confidentiality, integrity, and availability of information and information systems. As an example, according to a BBG official, the weak security controls resulted in the hacking of BBG Web sites in 2011.
In FY 2014, BBG continued to implement some controls to improve its information security program. For example, BBG categorized system information types and included applicable NIST Special Publication (SP) 800-53 controls in the security plans to improve the risk management process. BBG also added additional data fields in the POA&M database to track and remediate corrective actions. In addition, BBG has continued to be in compliance with contractor oversight requirements and has established a program to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud external to BBG. For security capital planning, there have been no major Information Technology (IT) investments or capital investments funding in FY 2014.
We recognize that BBG made progress in the risk management and POA&M areas since FY 2013, but even with the progress made, we found that BBG was still not in compliance with FISMA, OMB, and NIST requirements. Although BBG continued to be in compliance in two information security program areas, capital planning and contractor oversight, BBG’s overall information security program has not been in compliance with FISMA, OMB, and NIST requirements since FY 2010.
We have found deficiencies with BBG’s risk management framework since FY 2010. According to NIST SP 800-37, Revision 1,7 BBG should conduct a privacy impact assessment on information systems in accordance with OMB policy. In addition, according to NIST SP 800-53, Revision 4,8 BBG should assess the security controls in an information system annually. However, in FY 2014, we identified the following weaknesses within the risk management framework that the Information Security Division should enforce:
Privacy impact assessments were not completed for the Office of Cuba Broadcasting Headquarters Network and Privacy Information Enclave systems.
An annual security control assessment was not conducted on the Identity Management System.
Without the Information Security Management Division enforcing a risk management framework, BBG cannot prioritize, assess, respond to, and monitor information security risk, which leaves BBG vulnerable to outside attacks and insider threats.

On the subject of security, the BBG on Feb. 11 gave a $9,000 contract to a Maryland detective.
The BBG has paid investigator James M. Bowman $167,598.79 since 2004, records show.